Cryptographic method and apparatus for non-linearly merging a data block and a key



The invention relates to a method for converting a digital input block into a digital output block; said conversion comprising the step of merging a selected part M1 of said digital input block with a first key K1 and producing a data block B1 which non-linearly depends on said selected part M1 and said first key K1, and where a selected part of said digital output block is derived from said data block B1.

The invention further relates to an apparatus for cryptographically converting a digital input block into a digital output block; said apparatus comprising first input means for obtaining said digital input block; second input means for obtaining a first key K1; cryptographic processing means for converting the digital input block into the digital output block; said conversion comprising merging a selected part M1 of said digital input block with said first key K1 and producing a data block B1 which non-linearly depends on said selected part M1 and said first key K1, and where a selected part of said digital output block is derived from said data block B1; and output means for outputting said digital output block.

The Data Encryption Standard (DES) of the National Bureau of Standards [FIPS publication 46, 1977 January 15] describes a widely used algorithm for converting a digital input block into a digital output block. Such an algorithm is generally referred to as a block cipher. The DES algorithm is used for encrypting (enciphering) and decrypting (deciphering) binary coded information. Encrypting converts intelligible data, referred to as plaintext, into an unintelligible form, referred to as ciphertext. Decrypting the ciphertext converts the data back to its original form. In the so-called electronic code book mode, DES is used to encrypt blocks of 64 bits of plaintext into corresponding blocks of 64 bits of ciphertext. In this mode, the encryption uses keys which are derived from a 64 bit key, of which 56 bits may be freely selected. Figure 1 shows the overall structure of DES during encrypting. In the encrypting computation, the input (64 bit plaintext) is first permuted from 64 bits into 64 bits using a fixed permutation IP. The result is split into 32 left bits $L_0$ and 32 right bits $R_0$. The right bits are transformed using a cipher function $f(R_0, K_1)$, where $K_1$ is a sub-key. The result $f(R_0, K_1)$ is added (bit-wise modulo 2) to the left bits, followed by interchanging the two resulting 32 bit blocks $L_0 \oplus f(R_0, K_1)$ and $R_0$. This procedure is continued iteratively for a total of 16 rounds. At the end of the last round the inverse permutation of the initial permutation IP is applied.

In the calculation of $f(R_i, K_i)$ the 32 right bits $R_i$ are first expanded to 48 bits in the box E, as illustrated in figure 2. According to a given table this expansion is performed by taking some input bits twice as an output bit and others only once. Then, the expanded 48 bits are added (bit-wise modulo 2) to the 48 key bits $K_i$. The resulting 48 bits are split into 8 groups of 6 bits each. Each of these groups is processed by an S box, which reduces the 6 bits to 4 bits in a non-linear operation. The eight S boxes are given in the form of a table. The total output is 32 bits, which is permuted in the box P. P is also given in the form of a table.

Figure 3 illustrates the key schedule calculation. The key consists of 64 bits, of which only 56 are used in the algorithm. Those 56 bits should be chosen randomly. Eight complementing error detecting bits are used to make the parity of each byte of the key odd. The selection of the 56 bits is performed in box PC1, together with a permutation. The result is split into two 28 bit words $C_0$ and $D_0$. To obtain the 48 key bits for each round, first the words $C_0$ and $D_0$ are left shifted once or twice. A selection and a permutation PC2 are then applied to the result. The output of PC2 is the 48 bit sub-key $K_i$ which is used in the cipher function $f(R_{i-1}, K_i)$ of round i. The process of shifting, selecting and permutating is repeated to generate a sub-key for each round. A table specifies how many shifts must be performed to obtain the next 48 bits of the sub-key for the following round.

The same algorithm and key can be used for decrypting a ciphertext. The initial permutation for the decrypting cancels the inverse permutation of the encrypting. Each round consists of a so-called Feistel cipher. It is well-known that for Feistel ciphers the inverse operation consists of using the same rounds as used for encrypting but applying the sub-keys in inverse order. As such, the first decrypting round must be supplied with the same sub-key as used for the sixteenth encrypting round, the second decrypting round must be supplied with the same sub-key as used for the fifteenth encrypting round, etc. It is also well-known how the DES algorithm can be used in other encryption modes, such as the cipher feedback mode. In this mode, the DES algorithm is used to generate a stream of statistically random binary bits, which are combined with the plaintext, using, for instance, an exclusive-or logic operation.

The DES algorithm, in essence, comprises an initial permutation, followed by sixteen key-dependent computations on part of the data and terminated with an inverse permutation. Each key dependent computation comprises adding (modulo 2) key-dependent bits to the data part, followed by a non-linear operation on sub-blocks of the data part, and terminated by a permutation (linear operation) of the data part.

24.03.1997

In general, DES is considered to be a good encryption/decryption tool. It 
is, however, an open question whether or not DES has remained secure over the past years, 
particularly in view of the recent very powerful differential cryptanalytic attacks. 

It is an object of the invention to provide a cryptographic method and 
apparatus of the kind set forth which is more robust against cryptanalytic attacks. 

To achieve this object, the cryptographic method according to the invention is characterised in that said merging step is performed by executing a non-linear function g for non-linearly merging said selected part M1 and said first key K1 in one, sequentially inseparable step. In the DES system, as shown in figure 2, in a first processing step the R data is bit-wise added to the key, followed by a second processing step of non-linearly processing the result (S-boxes). According to the invention, an algorithm is used which non-linearly merges data with a key in one step (i.e. one, sequentially inseparable step). As such, adding the key bits to the data is an integrated part of the non-linear operation, making the system more immune against modern attacks, such as differential cryptanalysis.

In an embodiment of the method according to the invention as defined in the dependent claim 2, in each round both parts of the digital input block are processed, giving a better encryption result than for conventional Feistel ciphers, such as DES, where during each round only half of the digital input block is being processed. To ensure that the same system can be used for both encryption and decryption, one part of the data is processed using an operation g, whereas the other half is processed using the inverse operation $g^{-1}$. Using this scheme, decrypting is performed by using the same system but supplying the keys in reverse order to the rounds (during decryption the first non-linear step is supplied with the key which, during encryption, was supplied to the last non-linear step, etc.). Compared to a conventional implementation of a Feistel cipher with twice as many rounds, the system according to the invention is faster.

The measure as defined in the dependent claim 3, wherein a relatively large data block and key, of for instance 64 bits, are split into smaller sub-blocks and sub-keys, simplifies real-time non-linear processing.

In an embodiment of the method according to the invention as defined in the dependent claim 5, a constant is used to enhance the quality of the encryption. Advantageously, the constant is predetermined per system, forming, for instance, a customer-specific constant. Alternatively, the constant is generated using a pseudo-random generator.

The measure defined in dependent claim 6 provides a way for non-linearly merging the data sub-block and the sub-key in one step. Additionally, different inputs all result in different outputs. This increases the immunity of the system against cryptanalytic attacks, compared to DES where the non-linear operation reduces the 6-bit input sub-block to a 4-bit output sub-block, implying that the same output is produced for four different inputs.

In an embodiment of the method according to the invention as defined in the dependent claim 7 a constant is used to enhance the quality of the encryption. Advantageously, the constant is predetermined per system, forming, for instance, a customer-specific constant. Alternatively, the constant is generated using a pseudo-random generator.

The measure as defined in the dependent claim 8 increases the quality of the encryption even further.

In an embodiment of the method according to the invention as defined in the dependent claim 10 individual sub-blocks corresponding to different parts of the digital input block are swapped to improve the quality of the encryption.

Preferably, the sub-block $m_j$ comprises eight data bits. This further improves the quality of the non-linear operation compared to DES, where the non-linear operation converts six to four bits.

The measure as defined in the dependent claim 11 has the advantage of reducing the multiplication in GF($2^8$) to operations in GF($2^4$), making it possible to achieve a simpler or more cost-effective implementation.

The measure defined in the dependent claim 12 gives an effective way of reducing the multiplication in GF($2^8$) to operations in GF($2^4$).

An embodiment of the method according to the invention is characterised in that $\beta$ is a root of the irreducible polynomial $h(x) = x^4 + x^3 + x^2 + x + 1$ over GF(2). This is a preferred choice for $\beta$, allowing the use of the so-called shifted polynomial base.

An embodiment of the method according to the invention is characterised in that calculating the inverse of an element of GF($2^8$) comprises performing a series of calculations in GF($2^4$). By reducing the inverse operation in GF($2^8$) to operations in GF($2^4$) a simpler or more cost-effective implementation can be achieved.

An embodiment of the method according to the invention is characterised in that calculating the inverse of said element b comprises calculating $(a_0^2 + a_0 a_1 + a_1^2 \beta)^{-1} (a_0 + a_1 + a_1 D)$. This is an effective way of reducing the inverse operation in GF($2^8$) to operations in GF($2^4$).

An embodiment of the method according to the invention is characterised in that said first key K1 comprises 64 data bits and wherein each of said sub-keys $k_j$ comprises eight data bits. By using a large key the quality of the encryption is increased.
To achieve the object of the invention, the apparatus according to the invention is characterised in that said cryptographic processing means is arranged to perform said merging by executing a non-linear function g for non-linearly merging said selected part M1 and said first key K1 in one, sequentially inseparable step.

These and other aspects of the invention will be apparent from and elucidated with reference to the embodiments shown in the drawings.



Figure 1 shows the processing steps for the DES system,
Figure 2 illustrates details of merging the data with the key and the non-linear operation in DES,
Figure 3 illustrates details of the key calculation in DES,
Figure 4 shows a block diagram of the cryptographic apparatus,
Figure 5 illustrates separate processing of two parts of the digital input block,
Figure 6 illustrates processing of a part of the digital input block in the form of sub-blocks,
Figure 7 illustrates processing of two parts in the form of sub-blocks, and
Figure 8 shows an overall encryption system.



Figure 4 shows a block diagram of the cryptographic apparatus 400 according to the invention. For the purpose of explaining the invention, the system is described in the electronic code book mode. Persons skilled in the art will be able to use the system in other modes as well. The apparatus 400 comprises first input means 410 for obtaining a digital input block M. The digital input block M may be any suitable size. Preferably, M is sufficiently large, for instance 128 bits, to obtain a reasonably secure encryption result. The apparatus 400 further comprises cryptographic processing means 420 for converting the digital input block into a digital output block. Advantageously, the digital output block has substantially equal length as the digital input block. The apparatus 400 comprises output means 430 for outputting the digital output block. Basically, the cryptographic processing means 420 converts the digital input block M into the digital output block by merging a selected part M1 of the digital input block M with a first key K1, producing a data block B1 which non-linearly depends on M1 and K1. The merging is performed in one, sequentially inseparable step. The digital output block is derived from B1 and the remaining part of M, which is not part of M1. To obtain the first key K1, the cryptographic apparatus 400 comprises second input means 440. As will be described in more detail below, a second part M2 of the digital input block may be non-linearly merged with a second key K2, preferably using an operation inverse to the operation for merging M1 and K1, producing a data block B2. In this case, the digital output block also depends on B2. To obtain the second key K2, the cryptographic apparatus 400 comprises third input means 450.

It will be appreciated that the cryptographic apparatus 400 may be implemented using a conventional computer, such as a PC, or using a dedicated encryption/decryption device. The digital input block may be obtained in various ways, such as via a communication network, from a data storage medium, such as a hard disk or floppy disk, or directly being entered by a user. Similarly, the digital output block may be output in various ways, such as via a communication network, stored on a data storage medium, or displayed to a user. Preferably, secure means are used to this end. The cryptographic processing means 420 may be a conventional processor, such as for instance used in personal computers, but may also be a dedicated cryptographic processor. The cryptographic apparatus 400 may, in part or in whole, be implemented on a smart-card.

In the remainder of the document details of the cryptographic conversion 
are given for encrypting blocks of 128 bits of plaintext into corresponding blocks of 128 bits 
of ciphertext. Persons skilled in the art will be able to use the system for other block sizes as 
well. Data sizes shown in the Figures are given for reasons of clarity and should be treated 
as examples only. The description focuses on the non-linear processing of the data and the 
merging of the key with the data as performed in one round. As such the invention can be 
applied in a system as shown in Figure 1, comprising multiple rounds and also including a 
linear operation on the data block in each round. 

As shown in Figure 5, the message block M of 128 bits is divided into a first part M1 and a second part M2 (a left and a right block). Preferably, both parts are of equal size, 64 bits. It will be appreciated that M1 and M2 may also be derived from M using a more complicated selection process. M1 is processed using a non-linear function g. In principle, it is not required to process M2 during the same round. Advantageously, M2 is processed in the same round using the inverse function $g^{-1}$. Each of the functions g and $g^{-1}$ non-linearly merges M1 or, respectively, M2 with a key K1 or, respectively, K2. Preferably, the data parts and the keys have the same size. Since it is difficult to implement a good non-linear operation on a large data block and non-linearly processing a large data block is time consuming, the data parts M1 and M2 are split into sub-blocks. Figure 6 illustrates this for M1. Figure 7 illustrates the splitting of M1 and M2. Using 64-bit data parts M1 and M2, advantageously, the parts are each split into eight 8-bit elements, where $M1 = (m_0, m_1, \ldots, m_7)$ and $M2 = (m_8, m_9, \ldots, m_{15})$. The two keys K1 and K2 may be derived from a larger key, for instance, by splitting a 128 bit key into two 64-bit keys K1 and K2. The two keys K1 and K2 may be split further. Using 64-bit keys, advantageously, each key is split into 8-bit sub-keys, giving a total of sixteen 8-bit sub-keys $k_j$, j = 0..15. Each of the sub-keys $k_j$ is associated with the corresponding sub-block $m_j$. Each sub-block is processed separately. Preferably, the sub-blocks are processed in parallel. If preferred, the sub-blocks relating to one round may also be serially processed. The first group of sub-blocks, forming M1, are each processed by a cipher function f. The second group of sub-blocks are each processed by the inverse function $f^{-1}$.

For the cryptographic operations, an n-bit sub-block or sub-key is considered to represent an element of GF($2^n$) (Galois Field). All operations are, therefore, in GF($2^n$).

In its basic form, the cipher function f has two inputs $m_j$ and $k_j$ and one output $t_j$, as also illustrated in figures 6 and 7, where $t_j = f(m_j, k_j)$, for j = 0 to 7. In the basic form, the cipher function f involves one operation $h(b_j, k_j)$ with an output of substantially equal size as $b_j$. The function h has a data sub-block $b_j$ and a sub-key $k_j$ as input, where $b_j = m_j$ for the basic form of the cipher function f. The function f (in this embodiment the same as the function h) is defined as follows for j = 0..7:

1. $$h(b_j, k_j) = \begin{cases} (b_j \cdot k_j)^{-1} & \text{if } b_j \neq 0,\ k_j \neq 0 \text{ and } b_j \neq k_j \\ (k_j)^{-2} & \text{if } b_j = 0 \\ (b_j)^{-2} & \text{if } k_j = 0 \\ 0 & \text{if } b_j = k_j \end{cases}$$

For $b_j = k_j = 0$ the last case applies, so $h(0, 0) = 0$. For a fixed sub-key $k_j \neq 0$ this is a bijection on the $2^8$ possible sub-block values: the values $(b_j \cdot k_j)^{-1}$ taken for $b_j \notin \{0, k_j\}$ miss exactly 0 and $(k_j)^{-2}$, which are assigned to $b_j = k_j$ and $b_j = 0$ respectively. For $k_j = 0$ the map $b_j \mapsto (b_j)^{-2}$ (with $0 \mapsto 0$) is likewise a bijection.

Similarly, in its basic form the inverse cipher function $f^{-1}$ has two inputs $m_j$ and $k_j$ and one output $t_j$, as also illustrated in figures 6 and 7, where $t_j = f^{-1}(m_j, k_j)$, for j = 8 to 15. The inverse cipher function $f^{-1}$ also involves one operation $h^{-1}(b_j, k_j)$ with an output of substantially equal size as $b_j$. The function $h^{-1}$ is the inverse of h. As before, $b_j = m_j$ in the basic form of the cipher function $f^{-1}$. The function $f^{-1}$ (in this embodiment the same as the function $h^{-1}$) is defined as follows for j = 8..15:

1. $$h^{-1}(b_j, k_j) = \begin{cases} (b_j \cdot k_j)^{-1} & \text{if } b_j \neq 0,\ k_j \neq 0 \text{ and } b_j \cdot k_j^2 \neq 1 \\ k_j & \text{if } b_j = 0 \\ (b_j)^{-1/2} & \text{if } k_j = 0 \\ 0 & \text{if } b_j \cdot k_j^2 = 1 \end{cases}$$

Here $x^{1/2}$ denotes the square root of x in GF($2^8$), which is unique because squaring is a bijection there, and $x^{1/2} = x^{2^7}$. The cases mirror those of h: $h(k_j, k_j) = 0$, $h(0, k_j) = (k_j)^{-2}$ (so that $h(0, k_j) \cdot k_j^2 = 1$), and $h(b_j, 0) = (b_j)^{-2}$; for all other $b_j$, $h(b_j, k_j) \cdot k_j = (b_j)^{-1}$.

In a further embodiment, the outputs $t_j$ of the cipher function f ($t_j = f(m_j, k_j)$, for j = 0 to 7) and the outputs of the inverse cipher function $f^{-1}$ ($t_j = f^{-1}(m_j, k_j)$, for j = 8 to 15) are swapped in the following manner: $t_j \leftrightarrow t_{15-j}$ for j = 0 to 7. This is illustrated in Figure 7.

In a further embodiment, a constant is added (bit-wise modulo 2) to each data sub-block $m_j$ before executing the function h. Preferably, eight independent constants $p_j$ (j = 0..7) are used, each being added to the corresponding data sub-block $m_j$. The same function h is used as before, now operating on $b_j = m_j \oplus p_j$. The cipher function f is now defined as follows:

1. $b_j = m_j \oplus p_j$
2. $h(b_j, k_j)$ as defined above: $(b_j \cdot k_j)^{-1}$ if $b_j \neq 0$, $k_j \neq 0$ and $b_j \neq k_j$; $(k_j)^{-2}$ if $b_j = 0$; $(b_j)^{-2}$ if $k_j = 0$; 0 if $b_j = k_j$

Similarly, for the inverse cipher function $f^{-1}$ also a constant is added (bit-wise modulo 2) to each data sub-block $m_j$. To allow the inverse function $f^{-1}$ to be used to decrypt text encrypted using the cipher function f, the constant is added after the function $h^{-1}$. Preferably, the same eight independent constants $p_j$ (j = 0..7) are used as used for the cipher function f. Now, the constant $p_j$ is added to the (15-j)-th stream (j = 0..7). As a consequence, the inverse cipher function $f^{-1}$ involves the following two operations (j = 8..15), with $b_j = m_j$:

1. $h^{-1}(b_j, k_j)$ as defined above: $(b_j \cdot k_j)^{-1}$ if $b_j \neq 0$, $k_j \neq 0$ and $b_j \cdot k_j^2 \neq 1$; $k_j$ if $b_j = 0$; $(b_j)^{-1/2}$ if $k_j = 0$; 0 if $b_j \cdot k_j^2 = 1$
2. $t_j = h^{-1}(b_j, k_j) \oplus p_{15-j}$

Finally, $t_j$ and $t_{15-j}$ are swapped (j = 0..7).

In a further embodiment, a further constant is added (bit-wise modulo 2) to each data sub-block $m_j$ after executing the function h. Preferably, eight independent constants $d_j$ (j = 0..7) are used, each being added to the corresponding data sub-block $m_j$. The same function h is used as before. The cipher function f is now defined as follows:

1. $b_j = m_j \oplus p_j$
2. $h(b_j, k_j)$ as defined above: $(b_j \cdot k_j)^{-1}$ if $b_j \neq 0$, $k_j \neq 0$ and $b_j \neq k_j$; $(k_j)^{-2}$ if $b_j = 0$; $(b_j)^{-2}$ if $k_j = 0$; 0 if $b_j = k_j$
3. $t_j = h(b_j, k_j) \oplus d_j$

Similarly, for the inverse cipher function $f^{-1}$ also a constant is added (bit-wise modulo 2) to each data sub-block $m_j$. To allow the inverse function $f^{-1}$ to be used to decrypt text encrypted using the cipher function f, the constant is added before executing the function $h^{-1}$. Preferably, the same eight independent constants $d_j$ (j = 0..7) are used as used for the cipher function f. Now, the constant $d_j$ is added to the (15-j)-th stream (j = 0..7). The same function $h^{-1}$ is used as before, now operating on $b_j = m_j \oplus d_{15-j}$. As a consequence, the inverse cipher function $f^{-1}$ involves the following three operations (j = 8..15):

1. $b_j = m_j \oplus d_{15-j}$
2. $h^{-1}(b_j, k_j)$ as defined above: $(b_j \cdot k_j)^{-1}$ if $b_j \neq 0$, $k_j \neq 0$ and $b_j \cdot k_j^2 \neq 1$; $k_j$ if $b_j = 0$; $(b_j)^{-1/2}$ if $k_j = 0$; 0 if $b_j \cdot k_j^2 = 1$
3. $t_j = h^{-1}(b_j, k_j) \oplus p_{15-j}$

Finally, $t_j$ and $t_{15-j}$ are swapped (j = 0..7).

It will be appreciated that it is also possible to use the constants $d_j$ without using the constants $p_j$.
In a further embodiment, the cipher function f raises the outcome of the function h to a power of two, $2^i$. The same function h is used as before. The cipher function f is now defined as follows:

1. $b_j = m_j \oplus p_j$
2. $h(b_j, k_j)$ as defined above: $(b_j \cdot k_j)^{-1}$ if $b_j \neq 0$, $k_j \neq 0$ and $b_j \neq k_j$; $(k_j)^{-2}$ if $b_j = 0$; $(b_j)^{-2}$ if $k_j = 0$; 0 if $b_j = k_j$
3. $s_j = h(b_j, k_j)^{2^i}$
4. $t_j = s_j \oplus d_j$

Similarly, the inverse cipher function $f^{-1}$ also raises a data sub-block to a power of 2. To allow the inverse function $f^{-1}$ to be used to decrypt text encrypted using the cipher function f, the additional operation is performed before executing the function $h^{-1}$, and it must undo the raising to the power $2^i$: in GF($2^8$) every element satisfies $x^{2^8} = x$, so raising to the power $2^{8-i}$ is the inverse of raising to the power $2^i$. The same function $h^{-1}$ is used as before, now operating on $b_j = q_j^{2^{8-i}}$ with $q_j = m_j \oplus d_{15-j}$. As a consequence, the inverse cipher function $f^{-1}$ involves the following four operations (j = 8..15):

1. $q_j = m_j \oplus d_{15-j}$
2. $b_j = q_j^{2^{8-i}}$
3. $h^{-1}(b_j, k_j)$ as defined above: $(b_j \cdot k_j)^{-1}$ if $b_j \neq 0$, $k_j \neq 0$ and $b_j \cdot k_j^2 \neq 1$; $k_j$ if $b_j = 0$; $(b_j)^{-1/2}$ if $k_j = 0$; 0 if $b_j \cdot k_j^2 = 1$
4. $t_j = h^{-1}(b_j, k_j) \oplus p_{15-j}$

Finally, $t_j$ and $t_{15-j}$ are swapped (j = 0..7).

It will be appreciated that it is also possible to use the operation of raising to a power of 2 without using one or both of the constants $d_j$ and $p_j$.

For decrypting the same algorithm is used as for encrypting, but the sub-keys are swapped: instead of $k_j$, $k_{15-j}$ is used, j = 0..15.
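The cipher function and its inverse, assembled into one round as described above (the eight streams of f, the eight streams of $f^{-1}$, the constants $p_j$ and $d_j$, the swap $t_j \leftrightarrow t_{15-j}$, and decryption by reversing the sub-keys), as an added worked example. This is illustrative code, not the patent's own. The GF($2^8$) multiplication used here is the ordinary polynomial-basis one with modulus $x^8 + x^4 + x^3 + x + 1$; that choice is an assumption made for brevity, since the text states that any GF($2^8$) multiplication may be used, and the tower-field construction of the following sections is shown separately. The message, sub-keys and constants in the usage part are constructed sample values.

```python
"""One non-linear round of the merge described in the text: h, h^-1, the
constants p_j and d_j, the swap, and decryption by reversing the sub-keys.
Added example, not the patent's own code. GF(2^8) arithmetic is done in the
ordinary polynomial basis modulo x^8+x^4+x^3+x+1 (an assumption; the text
allows any GF(2^8) multiplication)."""

def gf_mul(a, b):
    """Multiply two bytes as elements of GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B          # reduce by the modulus (low byte of 0x11B)
        b >>= 1
    return r

def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^8)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

# a^(2^8 - 2) = a^-1 for a != 0; entry 0 is never reached by h or h_inv.
INV = [0] + [gf_pow(a, 254) for a in range(1, 256)]

def h(b, k):
    """Merge data sub-block b with sub-key k in one non-linear step."""
    if b == k:
        return 0                      # also covers b = k = 0
    if b == 0:
        return INV[gf_mul(k, k)]      # k^-2
    if k == 0:
        return INV[gf_mul(b, b)]      # b^-2
    return INV[gf_mul(b, k)]          # (b k)^-1

def h_inv(t, k):
    """Recover b from t = h(b, k)."""
    if t == 0:
        return k                      # b was equal to k
    if k == 0:
        return gf_pow(INV[t], 128)    # (t^-1)^(2^7) = square root of t^-1, undoes b -> b^-2
    if gf_mul(t, gf_mul(k, k)) == 1:
        return 0                      # t = k^-2 came from b = 0
    return INV[gf_mul(t, k)]          # (t k)^-1

def nonlinear_round(m, keys, p, d):
    """f on streams 0..7, f^-1 on streams 8..15, then the swap t_j <-> t_{15-j}.
    m and keys hold 16 bytes each; p and d hold the eight constants each."""
    t = [0] * 16
    for j in range(8):
        t[j] = h(m[j] ^ p[j], keys[j]) ^ d[j]
    for j in range(8, 16):
        t[j] = h_inv(m[j] ^ d[15 - j], keys[j]) ^ p[15 - j]
    return [t[15 - j] for j in range(16)]

def nonlinear_round_decrypt(c, keys, p, d):
    """Decryption is the same algorithm with k_{15-j} in place of k_j."""
    return nonlinear_round(c, keys[::-1], p, d)

def h_is_permutation():
    """For every sub-key, h(., k) must hit all 256 values and h_inv must undo it."""
    for k in range(256):
        seen = set()
        for b in range(256):
            t = h(b, k)
            if t in seen or h_inv(t, k) != b:
                return False
            seen.add(t)
    return True

if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    msg = list(range(16))
    keys = [(37 * j + 11) & 0xFF for j in range(16)]
    p = [0x5A ^ j for j in range(8)]
    d = [0xC3 ^ (j << 3) for j in range(8)]
    c = nonlinear_round(msg, keys, p, d)
    print("round trip ok:", nonlinear_round_decrypt(c, keys, p, d) == msg)
    print("h bijective for every sub-key:", h_is_permutation())
```

The exhaustive check in h_is_permutation is the point a practitioner cares about: it confirms, for all 256 sub-keys, that the four cases of h fit together into a permutation of the sub-block values (the property claim 6 relies on) and that the case analysis of $h^{-1}$ really inverts it, including the corner cases $b_j = k_j$, $b_j = 0$ and $k_j = 0$.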

The multiplication in GF($2^8$)

In principle, for the invention any multiplication in GF($2^8$) may be used. An example of a VLSI implementation of multiplications in GF($2^m$) is given in [P. A. Scott, "A fast VLSI multiplier for GF($2^m$)", IEEE Journal on Selected Areas in Communications, Vol. SAC-4, No. 1, January 1986, pages 62-66]. Advantageously, the following mechanism is used to reduce the multiplication in GF($2^8$) to a series of multiplications and additions in GF($2^4$).

Let, in GF($2^4$), $\beta$ be the non-trivial root of $\beta^5 = 1$ (non-trivial means $\beta \neq 1$, or, equally, $\beta$ is a root of the irreducible polynomial $h(x) = x^4 + x^3 + x^2 + x + 1$ over GF(2), since $x^5 + 1 = (x + 1)(x^4 + x^3 + x^2 + x + 1)$). The normal base $\beta, \beta^2, \beta^4, \beta^8$ is taken as the base in GF($2^4$). Since according to the polynomial $\beta^8 = \beta^3$, this is the same as the so-called shifted polynomial base: $\beta, \beta^2, \beta^3, \beta^4$.

Let D be an element of GF($2^8$), defined as a root of the irreducible polynomial $k(x) = x^2 + x + \beta$ over GF($2^4$). (k(x) is indeed irreducible: a polynomial $x^2 + x + c$ has no root in GF($2^4$) exactly when the trace of c is 1, and the trace of $\beta$ is $\beta + \beta^2 + \beta^4 + \beta^8 = \beta + \beta^2 + \beta^4 + \beta^3 = 1$.) Every element of GF($2^8$) can be represented as $a_0 + a_1 D$, with $a_0$ and $a_1$ being elements of GF($2^4$). In binary terminology, the number b of GF($2^8$) can be represented using eight bits, arranged as a vector $(a_0, a_1)$, with $a_0, a_1$ having four bits, representing numbers of GF($2^4$). As such, the base in GF($2^8$) is: $\beta, \beta^2, \beta^3, \beta^4, D\beta, D\beta^2, D\beta^3, D\beta^4$. Two elements b and c of GF($2^8$), represented as $b = a_0 + a_1 D$ and $c = a_2 + a_3 D$, with $a_i \in$ GF($2^4$), can be multiplied as follows:

$$b \cdot c = (a_0 + a_1 D)(a_2 + a_3 D) = a_0 a_2 + (a_1 a_2 + a_0 a_3) D + a_1 a_3 D^2.$$

Using the fact that D is a root of k(x), which implies that $D^2 = D + \beta$, this gives the multiplication result:

$$b \cdot c = (a_0 a_2 + a_1 a_3 \beta) + (a_1 a_2 + a_0 a_3 + a_1 a_3) D.$$

This has reduced the multiplication of two elements of GF($2^8$) to a series of multiplications and additions in GF($2^4$).

The inverse in GF($2^8$)

In principle any known method may be used to calculate the inverse of an element in GF($2^8$). Advantageously, if the previous method has been used to reduce the multiplication in GF($2^8$) to a multiplication in GF($2^4$), then the following method is used to reduce the inverse operation in GF($2^8$) to an inverse operation in GF($2^4$).

The inverse $b^{-1}$ of an element b in GF($2^8$), where b is represented as $b = a_0 + a_1 D$, with $a_i \in$ GF($2^4$), is given by:

$$b^{-1} = (a_0^2 + a_0 a_1 + a_1^2 \beta)^{-1} (a_0 + a_1 + a_1 D),$$

since:

$$b^{-1} \cdot b = (a_0^2 + a_0 a_1 + a_1^2 \beta)^{-1} (a_0 + a_1 + a_1 D)(a_0 + a_1 D) = (a_0^2 + a_0 a_1 + a_1^2 \beta)^{-1} (a_0^2 + a_0 a_1 + a_1^2 D + a_1^2 D^2)$$

(the two cross terms $a_0 a_1 D$ cancel in characteristic 2), and since $D^2 + D = \beta$, this gives $b^{-1} \cdot b = 1$. The factor $a_0^2 + a_0 a_1 + a_1^2 \beta$ is an element of GF($2^4$) and is non-zero whenever $b \neq 0$: it is the product of b with its conjugate $a_0 + a_1 + a_1 D$ (D + 1 being the other root of k(x)), and a product of two non-zero field elements is non-zero.

In this way the inverse operation in GF($2^8$) is reduced to an inverse operation in GF($2^4$) and a series of multiplications and additions in GF($2^4$).

Multiplication in GF($2^4$)

In principle, any multiplication in GF($2^4$) may be used. Advantageously, as described before, the shifted polynomial base $\beta, \beta^2, \beta^3, \beta^4$ is taken as the base in GF($2^4$), where $\beta$ is a root of the irreducible polynomial $h(x) = x^4 + x^3 + x^2 + x + 1$ over GF(2), and $\beta^5 = 1$ in GF($2^4$). Since $\beta$ is a root of h, this implies: $\beta^4 + \beta^3 + \beta^2 + \beta = 1$. Assuming that the base elements are named $e_1, e_2, e_3$ and $e_4$, with $e_i = \beta^i$, the base elements are multiplied in the following way, using the definition of $\beta$:

$e_1 \cdot e_1 = \beta \cdot \beta = \beta^2 = e_2$
$e_1 \cdot e_2 = \beta \cdot \beta^2 = \beta^3 = e_3$
$e_1 \cdot e_3 = \beta \cdot \beta^3 = \beta^4 = e_4$
$e_1 \cdot e_4 = \beta \cdot \beta^4 = \beta^5 = 1 = e_1 + e_2 + e_3 + e_4$
$e_2 \cdot e_2 = \beta^2 \cdot \beta^2 = \beta^4 = e_4$
$e_2 \cdot e_3 = \beta^2 \cdot \beta^3 = \beta^5 = 1 = e_1 + e_2 + e_3 + e_4$
$e_2 \cdot e_4 = \beta^2 \cdot \beta^4 = \beta^6 = \beta = e_1$
$e_3 \cdot e_3 = \beta^3 \cdot \beta^3 = \beta^6 = \beta = e_1$
$e_3 \cdot e_4 = \beta^3 \cdot \beta^4 = \beta^7 = \beta^2 = e_2$
$e_4 \cdot e_4 = \beta^4 \cdot \beta^4 = \beta^8 = \beta^3 = e_3$
This in principle defines the multiplication in GF($2^4$). In binary terms the multiplication can be seen as follows. With respect to the base, each element b in GF($2^4$) can be represented as $b = b_0 e_1 + b_1 e_2 + b_2 e_3 + b_3 e_4$, with $b_i \in$ GF(2). As such, the element b can be represented by a 4-dimensional vector with binary components $(b_0, b_1, b_2, b_3)$. On a micro-processor this can be represented using a nibble. In binary terms, the multiplication of two elements b and c in GF($2^4$) can be seen as follows, assuming the two elements are represented by $b = (b_0, b_1, b_2, b_3)$ and $c = (c_0, c_1, c_2, c_3)$. Multiplying the two elements in the normal way gives:

$$b \cdot c = (b_0 c_0)\beta^2 + (b_0 c_1 + b_1 c_0)\beta^3 + (b_0 c_2 + b_1 c_1 + b_2 c_0)\beta^4 + (b_0 c_3 + b_1 c_2 + b_2 c_1 + b_3 c_0)\beta^5 + (b_1 c_3 + b_2 c_2 + b_3 c_1)\beta^6 + (b_2 c_3 + b_3 c_2)\beta^7 + (b_3 c_3)\beta^8$$

Using the definition of $\beta$ to replace $\beta^5$ by $\beta^4 + \beta^3 + \beta^2 + \beta$, $\beta^6$ by $\beta$, $\beta^7$ by $\beta^2$, and $\beta^8$ by $\beta^3$, gives the following four components:

$$b \cdot c = (b_1 c_3 + b_2 c_2 + b_3 c_1 + b_0 c_3 + b_1 c_2 + b_2 c_1 + b_3 c_0)\beta + (b_0 c_0 + b_2 c_3 + b_3 c_2 + b_0 c_3 + b_1 c_2 + b_2 c_1 + b_3 c_0)\beta^2 + (b_0 c_1 + b_1 c_0 + b_3 c_3 + b_0 c_3 + b_1 c_2 + b_2 c_1 + b_3 c_0)\beta^3 + (b_0 c_2 + b_1 c_1 + b_2 c_0 + b_0 c_3 + b_1 c_2 + b_2 c_1 + b_3 c_0)\beta^4$$

The result of the multiplication, in binary terms, is, therefore, given by:

$$b \cdot c = (\,b_1 c_3 + b_2 c_2 + b_3 c_1 + b_0 c_3 + b_1 c_2 + b_2 c_1 + b_3 c_0,\ \ b_0 c_0 + b_2 c_3 + b_3 c_2 + b_0 c_3 + b_1 c_2 + b_2 c_1 + b_3 c_0,\ \ b_0 c_1 + b_1 c_0 + b_3 c_3 + b_0 c_3 + b_1 c_2 + b_2 c_1 + b_3 c_0,\ \ b_0 c_2 + b_1 c_1 + b_2 c_0 + b_0 c_3 + b_1 c_2 + b_2 c_1 + b_3 c_0\,)$$

Inverse operation in GF($2^4$)

Using the normal base $\beta, \beta^2, \beta^4, \beta^8$, each element x of GF($2^4$) can be written as $x = a\beta + b\beta^2 + c\beta^4 + d\beta^8$, with $a, b, c, d \in$ GF(2). As such, each element can be represented by a 4-dimensional vector (a, b, c, d). In order to obtain the inverse of x ($x^{-1}$):

calculate the following intermediate results: $ab$, $a\bar{b}$, $\bar{a}b$, $bc$, $\bar{b}c$, $b\bar{c}$, $cd$, $\bar{c}d$, $c\bar{d}$, $da$, $\bar{d}a$, $d\bar{a}$, where $ab$ is the binary AND of a and b (a AND b) and $\bar{a}$ is the binary complement of a (NOT a).

calculate the first bit of $x^{-1}$ by using $cd$, $\bar{c}d$, $c\bar{d}$, $\bar{a}b$, $b\bar{c}$ and $\bar{d}a$ as follows:
$(cd)$ OR $(\bar{a}$ AND $c\bar{d})$ OR $(\bar{c}d$ AND $\bar{a}b)$ OR $(b\bar{c}$ AND $\bar{d}a)$

calculate the second bit of $x^{-1}$ by using $da$, $\bar{d}a$, $d\bar{a}$, $\bar{b}c$, $c\bar{d}$ and $\bar{a}b$ as follows:
$(da)$ OR $(\bar{b}$ AND $d\bar{a})$ OR $(\bar{d}a$ AND $\bar{b}c)$ OR $(c\bar{d}$ AND $\bar{a}b)$

calculate the third bit of $x^{-1}$ by using $ab$, $\bar{a}b$, $a\bar{b}$, $\bar{c}d$, $d\bar{a}$ and $\bar{b}c$ as follows:
$(ab)$ OR $(\bar{c}$ AND $a\bar{b})$ OR $(\bar{a}b$ AND $\bar{c}d)$ OR $(d\bar{a}$ AND $\bar{b}c)$

calculate the fourth bit of $x^{-1}$ by using $bc$, $\bar{b}c$, $b\bar{c}$, $\bar{d}a$, $a\bar{b}$ and $\bar{c}d$ as follows:
$(bc)$ OR $(\bar{d}$ AND $b\bar{c})$ OR $(\bar{b}c$ AND $\bar{d}a)$ OR $(a\bar{b}$ AND $\bar{c}d)$

The four formulas are cyclic shifts of one another (a → b → c → d → a), which reflects that squaring is a cyclic shift of the coordinates in a normal base and commutes with inversion.
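The tower-field arithmetic of the preceding sections, as an added worked example (illustrative code, not the patent's own): multiplication in GF($2^4$) by the bitwise formula on the shifted polynomial base, inversion in GF($2^4$) by the four Boolean formulas on the normal base, and multiplication and inversion in GF($2^8$) through $D^2 = D + \beta$ and the norm $a_0^2 + a_0 a_1 + a_1^2 \beta$. The nibble and pair encodings, and the exhaustive self-check, are choices of this example.

```python
"""Tower-field arithmetic from the text, as an added example (not the patent's
own code). GF(2^4): a nibble whose bit i is the coordinate on beta^(i+1) of the
shifted polynomial base beta, beta^2, beta^3, beta^4 (beta a root of
x^4+x^3+x^2+x+1, so beta^5 = 1). GF(2^8): a pair (a0, a1) meaning a0 + a1*D,
with D^2 = D + beta."""

BETA = 0b0001   # beta: coordinate 1 on the first base element
ONE4 = 0b1111   # 1 = beta + beta^2 + beta^3 + beta^4, because x^5 + 1 = (x + 1) h(x)

def bits(x):
    return [(x >> i) & 1 for i in range(4)]

def mul4(b, c):
    """Product in GF(2^4) by the bitwise formula of the text."""
    b0, b1, b2, b3 = bits(b)
    c0, c1, c2, c3 = bits(c)
    s = (b0 & c3) ^ (b1 & c2) ^ (b2 & c1) ^ (b3 & c0)  # coefficient of beta^5 = 1, spread over all four
    r0 = (b1 & c3) ^ (b2 & c2) ^ (b3 & c1) ^ s          # beta   (beta^6 = beta)
    r1 = (b0 & c0) ^ (b2 & c3) ^ (b3 & c2) ^ s          # beta^2 (beta^7 = beta^2)
    r2 = (b0 & c1) ^ (b1 & c0) ^ (b3 & c3) ^ s          # beta^3 (beta^8 = beta^3)
    r3 = (b0 & c2) ^ (b1 & c1) ^ (b2 & c0) ^ s          # beta^4
    return r0 | (r1 << 1) | (r2 << 2) | (r3 << 3)

def inv4(x):
    """Inverse in GF(2^4) by the four Boolean formulas of the text, which are
    written on the normal base beta, beta^2, beta^4, beta^8 (beta^8 = beta^3)."""
    b0, b1, b2, b3 = bits(x)
    a, b, c, d = b0, b1, b3, b2          # normal-base coordinates (a, b, c, d)
    na, nb, nc, nd = 1 - a, 1 - b, 1 - c, 1 - d
    ia = (c & d) | (na & c & nd) | (nc & d & na & b) | (b & nc & nd & a)
    ib = (d & a) | (nb & d & na) | (nd & a & nb & c) | (c & nd & na & b)
    ic = (a & b) | (nc & a & nb) | (na & b & nc & d) | (d & na & nb & c)
    id_ = (b & c) | (nd & b & nc) | (nb & c & nd & a) | (a & nb & nc & d)
    return ia | (ib << 1) | (id_ << 2) | (ic << 3)   # back to the shifted base

def mul8(x, y):
    """(a0 + a1 D)(a2 + a3 D) with D^2 = D + beta, as in the text."""
    a0, a1 = x
    a2, a3 = y
    lo = mul4(a0, a2) ^ mul4(mul4(a1, a3), BETA)
    hi = mul4(a1, a2) ^ mul4(a0, a3) ^ mul4(a1, a3)
    return (lo, hi)

def inv8(x):
    """b^-1 = (a0^2 + a0 a1 + a1^2 beta)^-1 (a0 + a1 + a1 D): one inverse in GF(2^4)."""
    a0, a1 = x
    norm = mul4(a0, a0) ^ mul4(a0, a1) ^ mul4(mul4(a1, a1), BETA)
    t = inv4(norm)
    return (mul4(t, a0 ^ a1), mul4(t, a1))

ONE8 = (ONE4, 0)
D = (0, ONE4)

def check_field():
    """Exhaustive checks that the transcribed formulas really give inverses."""
    ok = all(mul4(ONE4, x) == x for x in range(16))
    ok = ok and all(mul4(x, inv4(x)) == ONE4 for x in range(1, 16))
    ok = ok and mul8(D, D) == (BETA, ONE4)                         # D^2 = D + beta
    ok = ok and all(mul8(e, inv8(e)) == ONE8
                    for e in ((a0, a1) for a0 in range(16) for a1 in range(16))
                    if e != (0, 0))
    return ok

if __name__ == "__main__":
    beta5 = mul4(mul4(mul4(mul4(BETA, BETA), BETA), BETA), BETA)
    print("beta^5 == 1:", beta5 == ONE4)
    print("all inverse formulas hold:", check_field())
```

check_field is the practical point: a hand-transcribed Boolean inverse is easy to get wrong by one complemented literal, and fifteen multiplications in GF($2^4$) plus 255 in GF($2^8$) settle the question exhaustively in well under a second.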
Besides being used in a DES-like system as shown in Figure 1, a dedicated system can be built around the non-linear algorithm of the invention. Such a system is shown in figure 8. In this system, the blocks are processed using the non-linear operation NL of the invention and a linear operation LIN. The first step is the non-linear operation. This is followed by an iteration of the linear operation followed by the non-linear operation. It is expected that a sufficiently safe system is achieved by performing six non-linear operations (i.e. using five rounds), provided that the linear operation mixes the data bits thoroughly. Preferably, 15 rounds are used. Each of the linear operations is the same. Also, each of the non-linear operations is the same, but each non-linear operation uses a different key of 128 bits. Advantageously, keys are derived from one global key of, for instance, 256 bits, using a key schedule calculation. The same key is used for encryption as well as decryption. In most cases the key is provided using a smart-card. For the linear operation, advantageously, instead of a permutation a more complex matrix is used. As described before, in addition to the key, each non-linear operation may, optionally, use a constant C of 128 bits, which is split into the constants $p_j$ and $d_j$. The constant may be the same for each operation. Advantageously, each non-linear operation is provided with a separate constant. The constants may be predetermined per system (e.g. a customer-specific constant). Alternatively, the constant is generated using a pseudo-random generator.



